CI/supply-chain security hardening (#316)

ciaranra · web-flow · commit ee95d80ddc21 · 2026-05-22T20:10:43.000-06:00
* Drop stray planning reference from pyproject test-dependency comment

* Add SHA-pinned step-security/harden-runner (egress audit) as the first step of every CI job

* Document IoC-list maintenance/refresh process in dependency-integrity-check

* Dependency hygiene: add Dependabot gomod coverage and pin a non-vulnerable Pillow floor in docs

* Drain Go stdlib advisories: bump go/pecos go directive 1.18 -&gt; 1.26.3 (stdlib-only module, no deps)
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -62,3 +62,18 @@ updates:
     ignore:
       - dependency-name: "*"
         update-types: ["version-update:semver-patch", "version-update:semver-minor", "version-update:semver-major"]
+
+  # Go (gomod) - security updates only. Watches the Go module that was
+  # previously uncovered (its transitive tree had accumulated advisories).
+  - package-ecosystem: "gomod"
+    directory: "/go/pecos"
+    schedule:
+      interval: "weekly"
+    open-pull-requests-limit: 5
+    groups:
+      go-security:
+        applies-to: security-updates
+        patterns: ["*"]
+    ignore:
+      - dependency-name: "*"
+        update-types: ["version-update:semver-patch", "version-update:semver-minor", "version-update:semver-major"]
diff --git a/.github/workflows/cargo-deny.yml b/.github/workflows/cargo-deny.yml
@@ -35,6 +35,11 @@ jobs:
     runs-on: ubuntu-latest
     timeout-minutes: 30
     steps:
+      - name: Harden the runner (egress audit)
+        uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
+        with:
+          egress-policy: audit
+
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
         with:
           persist-credentials: false
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
@@ -40,6 +40,11 @@ jobs:
             build-mode: none
 
     steps:
+      - name: Harden the runner (egress audit)
+        uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
+        with:
+          egress-policy: audit
+
       - name: Checkout repository
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
         with:
diff --git a/.github/workflows/cuda-build-check.yml b/.github/workflows/cuda-build-check.yml
@@ -35,6 +35,11 @@ jobs:
   cuda-build-check:
     runs-on: ubuntu-latest
     steps:
+      - name: Harden the runner (egress audit)
+        uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
+        with:
+          egress-policy: audit
+
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
         with:
           persist-credentials: false
@@ -104,6 +109,11 @@ jobs:
   cuda-testing-info:
     runs-on: ubuntu-latest
     steps:
+      - name: Harden the runner (egress audit)
+        uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
+        with:
+          egress-policy: audit
+
       - name: CUDA Testing Requirements
         run: |
           echo "=============================================="
diff --git a/.github/workflows/dependency-integrity-check.yml b/.github/workflows/dependency-integrity-check.yml
@@ -25,6 +25,11 @@ jobs:
     runs-on: ubuntu-latest
     timeout-minutes: 15
     steps:
+      - name: Harden the runner (egress audit)
+        uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
+        with:
+          egress-policy: audit
+
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
         with:
           persist-credentials: false
diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
@@ -54,6 +54,11 @@ jobs:
     runs-on: ubuntu-latest
     timeout-minutes: 10
     steps:
+      - name: Harden the runner (egress audit)
+        uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
+        with:
+          egress-policy: audit
+
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
         with:
           persist-credentials: false
diff --git a/.github/workflows/github-actions-security.yml b/.github/workflows/github-actions-security.yml
@@ -39,6 +39,11 @@ jobs:
       contents: read
       actions: read
     steps:
+      - name: Harden the runner (egress audit)
+        uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
+        with:
+          egress-policy: audit
+
       - name: Checkout repository
         uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
         with:
diff --git a/.github/workflows/go-test.yml b/.github/workflows/go-test.yml
@@ -44,6 +44,12 @@ jobs:
         go-version: ["stable"]  # Latest stable (experimental bindings)
 
     steps:
+    - name: Harden the runner (egress audit)
+      if: runner.os == 'Linux'
+      uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
+      with:
+        egress-policy: audit
+
     - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
       with:
         persist-credentials: false
diff --git a/.github/workflows/go-version-consistency.yml b/.github/workflows/go-version-consistency.yml
@@ -25,6 +25,11 @@ jobs:
   check-go-versions:
     runs-on: ubuntu-latest
     steps:
+    - name: Harden the runner (egress audit)
+      uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
+      with:
+        egress-policy: audit
+
     - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
       with:
         persist-credentials: false
diff --git a/.github/workflows/julia-release.yml b/.github/workflows/julia-release.yml
@@ -60,6 +60,11 @@ jobs:
     outputs:
       run: ${{ steps.check.outputs.run }}
     steps:
+      - name: Harden the runner (egress audit)
+        uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
+        with:
+          egress-policy: audit
+
       - name: Check if should run on PR push
         id: check
         env:
@@ -104,6 +109,12 @@ jobs:
             architecture: x86_64
 
     steps:
+      - name: Harden the runner (egress audit)
+        if: runner.os == 'Linux'
+        uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
+        with:
+          egress-policy: audit
+
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
         with:
           persist-credentials: false
@@ -267,6 +278,12 @@ jobs:
             os: macos-latest
             architecture: aarch64
     steps:
+      - name: Harden the runner (egress audit)
+        if: runner.os == 'Linux'
+        uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
+        with:
+          egress-policy: audit
+
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
         with:
           persist-credentials: false
@@ -346,6 +363,11 @@ jobs:
       needs.test_binaries.result == 'success'
     runs-on: ubuntu-latest
     steps:
+      - name: Harden the runner (egress audit)
+        uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
+        with:
+          egress-policy: audit
+
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
         with:
           persist-credentials: false
@@ -475,6 +497,11 @@ jobs:
       needs.test_binaries.result == 'success'
     runs-on: ubuntu-latest
     steps:
+      - name: Harden the runner (egress audit)
+        uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
+        with:
+          egress-policy: audit
+
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
         with:
           ref: ${{ inputs.sha || github.sha }}
diff --git a/.github/workflows/julia-test.yml b/.github/workflows/julia-test.yml
@@ -44,6 +44,12 @@ jobs:
         julia-version: ["1"]  # Latest stable (experimental bindings)
 
     steps:
+    - name: Harden the runner (egress audit)
+      if: runner.os == 'Linux'
+      uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
+      with:
+        egress-policy: audit
+
     - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
       with:
         persist-credentials: false
diff --git a/.github/workflows/julia-update-hash.yml b/.github/workflows/julia-update-hash.yml
@@ -27,6 +27,11 @@ jobs:
       pull-requests: write
 
     steps:
+    - name: Harden the runner (egress audit)
+      uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
+      with:
+        egress-policy: audit
+
     - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
       with:
         persist-credentials: false
diff --git a/.github/workflows/julia-version-consistency.yml b/.github/workflows/julia-version-consistency.yml
@@ -25,6 +25,11 @@ jobs:
   check-julia-versions:
     runs-on: ubuntu-latest
     steps:
+    - name: Harden the runner (egress audit)
+      uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
+      with:
+        egress-policy: audit
+
     - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
       with:
         persist-credentials: false
diff --git a/.github/workflows/python-release.yml b/.github/workflows/python-release.yml
@@ -53,6 +53,11 @@ jobs:
     outputs:
       run: ${{ steps.check.outputs.run }}
     steps:
+      - name: Harden the runner (egress audit)
+        uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
+        with:
+          egress-policy: audit
+
       - name: Check if should run on PR push
         id: check
         env:
@@ -122,6 +127,12 @@ jobs:
             install_cuda: true
 
     steps:
+      - name: Harden the runner (egress audit)
+        if: runner.os == 'Linux'
+        uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
+        with:
+          egress-policy: audit
+
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
         with:
           persist-credentials: false
@@ -371,6 +382,12 @@ jobs:
             os: macos-15
             architecture: aarch64
     steps:
+      - name: Harden the runner (egress audit)
+        if: runner.os == 'Linux'
+        uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
+        with:
+          egress-policy: audit
+
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
         with:
           persist-credentials: false
@@ -434,6 +451,11 @@ jobs:
       needs.build_wheelspecos_rslib.result == 'success'
     runs-on: ubuntu-latest
     steps:
+      - name: Harden the runner (egress audit)
+        uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
+        with:
+          egress-policy: audit
+
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
         with:
           persist-credentials: false
@@ -488,6 +510,11 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
+      - name: Harden the runner (egress audit)
+        uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
+        with:
+          egress-policy: audit
+
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
         with:
           persist-credentials: false
@@ -543,6 +570,11 @@ jobs:
       needs.test_abi3_wheels.result == 'success'
     runs-on: ubuntu-latest
     steps:
+      - name: Harden the runner (egress audit)
+        uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
+        with:
+          egress-policy: audit
+
       - name: Create distribution directories
         run: |
           mkdir -p dist/pecos-rslib
diff --git a/.github/workflows/python-test.yml b/.github/workflows/python-test.yml
@@ -50,6 +50,12 @@ jobs:
             python-version: "3.14"
 
     steps:
+    - name: Harden the runner (egress audit)
+      if: runner.os == 'Linux'
+      uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
+      with:
+        egress-policy: audit
+
     - name: Free Disk Space (Ubuntu)
       if: runner.os == 'Linux'
       uses: jlumbroso/free-disk-space@54081f138730dfa15788a46383842cd2f914a1be # v1.3.1
@@ -243,6 +249,12 @@ jobs:
     runs-on: windows-2022
     timeout-minutes: 45
     steps:
+      - name: Harden the runner (egress audit)
+        if: runner.os == 'Linux'
+        uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
+        with:
+          egress-policy: audit
+
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
         with:
           persist-credentials: false
diff --git a/.github/workflows/python-version-consistency.yml b/.github/workflows/python-version-consistency.yml
@@ -21,6 +21,11 @@ jobs:
   check_python_workspace:
     runs-on: ubuntu-latest
     steps:
+      - name: Harden the runner (egress audit)
+        uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
+        with:
+          egress-policy: audit
+
       - name: Checkout code
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
         with:
diff --git a/.github/workflows/rust-test.yml b/.github/workflows/rust-test.yml
@@ -45,6 +45,11 @@ jobs:
   rust-lint:
     runs-on: ubuntu-latest
     steps:
+      - name: Harden the runner (egress audit)
+        uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
+        with:
+          egress-policy: audit
+
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
         with:
           persist-credentials: false
@@ -106,6 +111,11 @@ jobs:
   rust-lint-no-llvm:
     runs-on: ubuntu-latest
     steps:
+      - name: Harden the runner (egress audit)
+        uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
+        with:
+          egress-policy: audit
+
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
         with:
           persist-credentials: false
@@ -139,6 +149,11 @@ jobs:
   pre-commit:
     runs-on: ubuntu-latest
     steps:
+      - name: Harden the runner (egress audit)
+        uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
+        with:
+          egress-policy: audit
+
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
         with:
           persist-credentials: false
@@ -168,6 +183,12 @@ jobs:
         os: [ubuntu-latest, macos-latest, windows-2022]
 
     steps:
+      - name: Harden the runner (egress audit)
+        if: runner.os == 'Linux'
+        uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
+        with:
+          egress-policy: audit
+
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
         with:
           persist-credentials: false
diff --git a/.github/workflows/rust-version-consistency.yml b/.github/workflows/rust-version-consistency.yml
@@ -19,6 +19,11 @@ jobs:
   check_rust_versions:
     runs-on: ubuntu-latest
     steps:
+      - name: Harden the runner (egress audit)
+        uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
+        with:
+          egress-policy: audit
+
       - name: Checkout code
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
         with:
diff --git a/.github/workflows/selene-plugins.yml b/.github/workflows/selene-plugins.yml
diff --git a/.github/workflows/test-docs-examples.yml b/.github/workflows/test-docs-examples.yml
diff --git a/go/pecos/go.mod b/go/pecos/go.mod
diff --git a/pyproject.toml b/pyproject.toml
diff --git a/python/quantum-pecos/docs/requirements.txt b/python/quantum-pecos/docs/requirements.txt
diff --git a/scripts/dependency-integrity-check.sh b/scripts/dependency-integrity-check.sh
